EXECUTIVE SUMMARY:
A .NET loader that hides malicious components inside ordinary image files and relies on social engineering to reach victims. Attackers deliver the loader as a convincing attachment that mimics familiar document icons, so recipients are more likely to open the file. Once executed, the loader reads two embedded image resources, a bitmap and a PNG, and reconstructs encrypted stub modules by iterating over pixel channels and reassembling the bytes stored across their color values. The loader then performs XOR decryption with a hardcoded key to obtain a second-stage decryptor, which in turn extracts and decrypts the final payload. The final payload observed is a remote access trojan that targets desktop endpoints and common client applications. Affected components include user workstations, popular web browsers, FTP client configuration files, and registry locations used by remote-transfer tools. By combining file-based steganography with phishing delivery and staged decryption, the attack evades many signature-based defenses and basic file-type filters. For organizations, the impact ranges from credential theft and unauthorized remote access to covert proxying of network traffic and potential use of infected hosts as pivot points.
This section covers the loader's multi-stage process, its obfuscation methods, and the payload's capabilities. Execution begins when a user opens the malicious attachment; the loader inspects its managed resources for embedded image files and reconstructs a PNG decryptor stub from ARGB pixel data by extracting bytes from the R, G, and B channels. That stub reassembles and XOR-decrypts data from the embedded PNG using a hardcoded key to produce the final payload binary. The payload parses browser databases to harvest saved credentials, reads FTP client XML files and registry keys to obtain stored credentials, enumerates system details via WMI queries, and assembles configuration data that includes encrypted C2 settings and certificate material. The malware can remove the Mark-of-the-Web stream to suppress warnings, use native utilities such as shutdown.exe and schtasks.exe for reboot and persistence, and run command-shell delays to hinder sandbox detection. It also supports reverse-proxy features to route traffic through infected hosts and enable pivoting.
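The reconstruction step described above (bytes read from the R, G and B channels of each pixel, then repeating-key XOR with a fixed key) is the part an analyst usually has to reproduce to pull the final binary out of a sample for hashing and IOC extraction. The following is an added example written for this summary; it is not code from the report or from the malware. The pixel grid, the key and the "payload" are all constructed inline, and the row-major channel order, the absence of a length prefix (the caller supplies the expected length) and the `MZ` triage check are assumptions, not observed details of this loader.

```python
"""
Added example (not from the report): reassemble a blob hidden in the R, G and B
channels of an ARGB pixel grid and XOR-decode it with a fixed key, the way an
analyst reproduces a loader's reconstruction step while working a sample.
The pixel grid, key and plaintext used below are all constructed for the demo.
"""
from typing import List, Sequence, Tuple

Pixel = Tuple[int, int, int, int]  # (A, R, G, B) as the loader reads them

# Constructed demo key; in a real case the key is lifted from the decompiled loader.
DEMO_KEY = b"\x5a\xa5\x3c"


def channel_bytes(pixels: Sequence[Pixel]) -> bytes:
    """Read R, G and B of every pixel in row-major order; alpha is skipped."""
    out = bytearray()
    for _alpha, r, g, b in pixels:
        out.extend((r, g, b))
    return bytes(out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(byte ^ key[i % len(key)] for i, byte in enumerate(data))


def recover_blob(pixels: Sequence[Pixel], key: bytes, length: int) -> bytes:
    """Reconstruct the first `length` hidden bytes and decrypt them.

    `length` is supplied by the analyst (assumption: no length prefix in the
    image); the zero-padding pixels that follow are simply never decoded.
    """
    raw = channel_bytes(pixels)
    if length > len(raw):
        raise ValueError(f"image holds only {len(raw)} bytes, {length} requested")
    return xor_with_key(raw[:length], key)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap triage check: a recovered Windows executable starts with 'MZ'."""
    return blob[:2] == b"MZ"


def build_demo_image(plaintext: bytes, key: bytes, width: int = 4) -> Tuple[List[Pixel], int]:
    """Construct a pixel grid carrying `plaintext` XOR `key` in its RGB channels.

    Demo-only inverse of recover_blob so the example runs offline; trailing
    pixels are zero padding to fill the last row. Returns the grid and the
    payload length the analyst is assumed to know.
    """
    enc = xor_with_key(plaintext, key)
    enc += b"\x00" * ((-len(enc)) % 3)          # pad to a whole number of pixels
    pixels: List[Pixel] = [
        (255, enc[i], enc[i + 1], enc[i + 2]) for i in range(0, len(enc), 3)
    ]
    while len(pixels) % width:                  # pad to a whole number of rows
        pixels.append((255, 0, 0, 0))
    return pixels, len(plaintext)


if __name__ == "__main__":
    # Constructed stand-in for a payload: an MZ header followed by filler bytes.
    fake_pe = b"MZ" + b"\x90" * 14 + b"demo-payload"
    grid, n = build_demo_image(fake_pe, DEMO_KEY)
    recovered = recover_blob(grid, DEMO_KEY, n)
    print("PE header present:", looks_like_pe(recovered))
    print("round trip ok:    ", recovered == fake_pe)
```

In practice the pixel tuples come from an image library (for example Pillow's `Image.getdata()` on an RGBA image, reordered to match the loader's channel order), and the recovered blob is hashed and submitted to static analysis rather than executed; the `looks_like_pe` check is only there to confirm the channel order and key were right before spending time on the output.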
The impact includes covert credential theft, persistent remote access, and the ability to repurpose compromised systems as network pivots. The combination of image-based steganography and staged runtime assembly reduces the effectiveness of static and signature-based scanning because the malicious components do not exist in their final binary form until they are reconstructed at runtime. Quasar-style functions amplify the risk by harvesting browser-stored credentials and application configuration data that may unlock additional systems. Deletion of trust markers and use of scheduled tasks and native utilities increase operational resilience and give attackers multiple ways to maintain presence. While this pattern focuses on remote access and data theft rather than immediate destructive actions, the proxying and tunneling features allow lateral movement and covert data transfer over the same channels used for command traffic. The behavior is representative of commodity RAT campaigns that combine social engineering, content obfuscation, and platform utilities to sustain long-term access.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Privilege Escalation | T1134.002 | Access Token Manipulation | Create Process with Token |
| Defense Evasion | T1027.003 | Obfuscated/Encrypted Files & Information | Steganography |
| Defense Evasion | T1553.005 | Subvert Trust Controls | Mark-of-the-Web Bypass |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Discovery | T1082 | System Information Discovery | - |
| Lateral Movement | T1090.004 | Proxy | Domain Fronting |
| Collection | T1608.002 | Stage Capabilities | Upload Malware |
| Command and Control | T1090.001 | Proxy | Internal Proxy |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Impact | T1529 | System Shutdown/Reboot | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| --- | --- | --- |
| Defense Evasion | E1027 | Obfuscated Files/Information |
| Defense Evasion | B0032 | Executable Code Obfuscation |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0012 | Registry Run Keys |
| Persistence | F0013 | Scheduled Tasks |
| Discovery | E1082 | System Information Discovery |
| Credential Access | E1055 | Process Injection |
| Collection | E1083 | File/Directory Discovery |
| Collection | E1113 | Screen Capture |
| Command & Control | B0031 | Domain Name Generation |
| Command & Control | C0002 | HTTP Communication |
| Lateral Movement | E1105 | Ingress Tool Transfer |
| Exfiltration | E1020 | Automated Exfiltration |
REFERENCES:
The following reports contain further technical details: